LeakyCreds

CVE-2026-43938 - Vulnerability Analysis

High, CVSS: 8.1

Last Updated: May 12, 2026

YetAnotherForum.NET - Stored XSS

Published: May 12, 2026 | Updated: May 12, 2026 | Remote Exploitable

Overview

YetAnotherForum.NET prior to 4.0.5 and 3.2.12 contains a stored XSS vulnerability caused by improper encoding of the User-Agent header in the admin event-log page. It lets attackers execute scripts in the admin context; exploitation requires an admin to view the event log.
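
The class of flaw described above, as an added example that is not YAF.NET's code: a header value stored in a JSON log row is rendered into an admin table first without, then with, HTML encoding. LogEntry, Store, RenderRaw, RenderEncoded and the sample header are hypothetical, and System.Text.Json stands in for whatever serializer the application uses.

```csharp
using System;
using System.Net;
using System.Text.Json;

// Hypothetical event-log row (assumption, not the YAF.NET schema).
public record LogEntry(string Message, string UserAgent);

public static class EventLogDemo
{
    // Logging side: the request's User-Agent is stored as part of a JSON document.
    public static string Store(string message, string userAgent) =>
        JsonSerializer.Serialize(new LogEntry(message, userAgent));

    static LogEntry Load(string storedJson) =>
        JsonSerializer.Deserialize<LogEntry>(storedJson)
        ?? throw new JsonException("empty log row");

    // Flawed rendering: attacker-controlled text is concatenated into markup,
    // so any tags in the User-Agent become live HTML in the admin's browser.
    public static string RenderRaw(string storedJson)
    {
        var e = Load(storedJson);
        return $"<tr><td>{e.Message}</td><td>{e.UserAgent}</td></tr>";
    }

    // Corrected rendering: every stored field is HTML-encoded at output time.
    public static string RenderEncoded(string storedJson)
    {
        var e = Load(storedJson);
        return $"<tr><td>{WebUtility.HtmlEncode(e.Message)}</td>"
             + $"<td>{WebUtility.HtmlEncode(e.UserAgent)}</td></tr>";
    }

    public static void Main()
    {
        // Constructed sample header value containing markup.
        var ua = "Mozilla/5.0 <script>/* constructed sample */</script>";
        var row = Store("Login failed", ua);

        Console.WriteLine(row);                // JSON escaping only protects the JSON layer
        Console.WriteLine(RenderRaw(row));     // <script> reaches the page intact
        Console.WriteLine(RenderEncoded(row)); // &lt;script&gt; is displayed as text
    }
}
```

The point of the comparison is that escaping applied when the value is serialized for storage is undone on deserialization, so encoding has to happen where the value is written into HTML.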

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary scripts in the admin interface, potentially leading to session hijacking or further administrative compromise.

Mitigation

Update to version 4.0.5 or 3.2.12, or later.

Social Media Activity (4 posts)

TheHackerWire
@thehackerwire
May 12, 2026

🟠 CVE-2026-43938 - High (8.1) YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, an... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-43938/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-43938
Severity: High
CVSS Score: 8.1
Type: stored_xss
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

0.0% (Probability of exploitation in the next 30 days)